23542300x800000000000000017310415Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:19.791{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3936869B917F65D5DCEEF5DDD0EF275F,SHA256=4E0BB3FE12F1386ADE23538D12DB22EC8F8BCB8DBE84548D90EDCB49D47C982C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121018Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:19.469{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7722558AC7D631BE9194A5A739AFEF32,SHA256=FC849F46DD5CA0FF2B0E2E9E2D6624767E604B88A2DE68A57C05E49DF7550492,IMPHASH=00000000000000000000000000000000falsetrue 13241300x800000000000000017310414Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:19.008{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000017310413Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:19.008{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x13bdf599) 13241300x800000000000000017310412Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:19.008{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7dd25-0x21de9555) 13241300x800000000000000017310411Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:19.008{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7dd2d-0x83a2fd55) 13241300x800000000000000017310410Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:19.008{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7dd35-0xe5676555) 13241300x800000000000000017310409Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:19.008{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x800000000000000017310408Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:19.008{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x13bdf599) 13241300x800000000000000017310407Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:19.008{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7dd25-0x21de9555) 13241300x800000000000000017310406Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:19.008{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7dd2d-0x83a2fd55) 13241300x800000000000000017310405Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:19.008{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7dd35-0xe5676555) 354300x80000000000000001121017Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:37.149{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54332-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001121016Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:36.966{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-49016-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001121015Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:36.664{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-43372-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000017310417Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:20.822{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21C8AE037009128C36F84B9E488E7F00,SHA256=BE602EF73C93DDF488326F09219AB82754D1C1A1518244A66339F7CDBCCF8B90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121019Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:20.486{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA77B77E82043ABA226E441068192C63,SHA256=CC34D4A8C042ADE6C6874E2CCB3E2A4C7FDD8ED6C07448C0A76C9495689075D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310416Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:20.769{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2843536BD7F8798FAA16BB38AEAF1B5F,SHA256=3B9E06A120533999CD185D378E30BDAEE287209E07AB78937B1AF12073205190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310418Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:21.837{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8DDFF1FD553DCDCF5BC10F02749D6B,SHA256=0B355908D66200E2D0A0819642334DC7FEAE3A6F890D2912BCBC941BA6EDD331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121021Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:21.486{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6788FF9A10AB64C0A8F34AD52196004D,SHA256=0D41C78ED3A495B505799CA9BE556E0C8813787AD7536C212EE68FF76063A5E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121020Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:39.710{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-55070-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000017310423Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:22.840{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA92965BF05517441DAC50A49ADB7A7A,SHA256=73879A06F13AA4C5D834A7492546961AE94982FC6F0117D5104F8361365E6BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121022Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:22.501{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F7561BCACAFB27E9121E5A6D3B99230,SHA256=8C3825081B61FBEE100BD833BA5FF3F3D853317C06458E01BF9C7E8BE8FCCADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310422Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:22.809{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\datareporting\glean\db\data.safe.binMD5=1157171C0ED2D41CF1D80EED7E671A98,SHA256=9FB8C5A042A9EC835C6CD37F1F6AE414E758713C9FCA1CF7262426F4E9E7644C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310421Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:22.258{CBEA6AB7-6A11-6192-2900-000000000E02}2928NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03effd326efd96c31\channels\health\respondent-20211115140924-5381MD5=B1D65678BAAFB9FBC346ADDC22B9EF13,SHA256=A60E4A1EB0B1846EE4D092EA74D659E3EDD5022A58AD08DA4DCF9E97FBF70157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310420Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:22.140{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5073CD9F2AA4480FCB35A6D5E97978AA,SHA256=CE3705F1D1FE8EF106186EB26E511C069D31567A87BB29DAA8865EBE26105856,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310419Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:17.077{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-58522-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310426Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:23.860{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F185A89B520AF362136D09B545A83872,SHA256=61963224F52F605D16E38E6022FB4DDB9FA8652B2903DB7C4F14885DF1EB0652,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121025Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:23.532{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8D0627FCB1B1831947B4F426FDEA825,SHA256=EEBCEF879A47E3D01268CBE248EC2CFA84A85BC75D80C7F4CEDE7474E54546D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310425Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:23.271{CBEA6AB7-6A11-6192-2900-000000000E02}2928NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03effd326efd96c31\channels\health\surveyor-20211115140922-5382MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310424Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:18.413{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-35554-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 10341000x80000000000000001121024Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:23.401{068A336D-6C46-6192-0D00-000000000F02}7844472C:\Windows\system32\svchost.exe{068A336D-6C46-6192-1600-000000000F02}1220C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121023Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:23.401{068A336D-6C46-6192-0D00-000000000F02}7844472C:\Windows\system32\svchost.exe{068A336D-D3FB-6193-212B-000000000F02}2556C:\Windows\system32\ServerManager.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017310486Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.977{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D681A2646D3E7FF3E1324E64CA2F5387,SHA256=EECE634EF8166F3CFC4E546D54DAEB6CC436C09D5621A2D46351B0F8999C9832,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310485Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.930{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310484Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.914{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310483Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.914{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310482Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.914{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310481Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.914{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310480Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.914{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310479Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.914{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=16BF2AA546411BA25DC80EA288D47143,SHA256=524EC56C023155C7BE4C84D5AEC4FE2D85DFBAB3C2FA27F82BCD35028D546F83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310478Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.914{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=69EE5B232870704AFCC0E8957AA42A0F,SHA256=EC8DF5279022B68C0B542EC1688889374754106DFADBF7CAF8337E3F98865941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310477Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.914{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=83BCEF27E5B36115C2ADBA73CE9A7D2B,SHA256=3F68B0FEFBD484094D6517761B2DC13C6A430DDE3B44FA6CCACA3E39052D2AAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310476Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.914{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=177BC07ECED26CEBE0441C318BD35BB8,SHA256=2A816C802C006DF75CA86E1497E4CF05DFB0F07DB0CD31C0EC30EDAF92C2DF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310475Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.910{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310474Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.909{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310473Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.908{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=D4CAC8D363ACBEEB77FC616EFCAFA807,SHA256=1A699ABE0FE1DDA83923E04E5D7CBA096FFBBACF4A5A448829E3A9B135F177F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310472Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.906{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=7F9435AB56C542EF409A8A0F4A8A2E06,SHA256=3D6847C72C5475D9445E73B5AFF1A70127C1F9BCB62C197103BD7E1BD1181AF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310471Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.905{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=6FD27B6CED089FAAB1A06A99C5693674,SHA256=C7FC6253BD08AC60D8BC5BFA4C16EB0A867C0C3625D82485CA44DA38DCA8A2FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121027Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:24.569{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68ADAAC463F11E263C9678F3B809BAD,SHA256=30C087E4FE072280C339757D08D4862EF2EA73B0359C48F7D102CCBD9360D047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310470Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.643{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=DA56C63FA6B997392E730EABEABBFE9E,SHA256=8B82BAA2FE38C75769709FDC669DC233F8AB17C57A56EB0CBC5BB9736D154815,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310469Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.643{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=D6999CF521D06023AF9E7BC899777338,SHA256=8FF6F2785509EB44B3DCD9D77C0D5DAD06764C351B6C87971EA747D8A882AD55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310468Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.643{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=D80C6F35940A3A48835EB680B4354F3E,SHA256=DFD4F558F85E03C33F991B9D2292C8CF4753FE84A7CBF124B98655EC06D50A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310467Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.643{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=B0272F5CF9F56F11C856155DC5F40BE1,SHA256=74AB81A1929A8806D559A13140947F076CABA52BF882364C416EF4D8E9B155F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310466Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.643{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=355F1C82CFC562F3984F8AF46B4F2D9F,SHA256=34E27870F13F027BCA44945B3F7C6B66C88D64AB04306F33977CA72500A12B2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310465Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.628{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=9476138EBDCD72B0827103BB8B87FF19,SHA256=07037B0FB60E06E20F54CAA13285355F85CC0A72042E52CD046B61C5F45A1678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310464Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.628{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=CB54FCAFBF73DAFAF4B7E22338C9DD2B,SHA256=5838014C12E2EE0F6FDC6EE191399A52C6AAF95EBA947686A8BF4B79D6EDB83C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310463Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.612{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310462Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.565{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310461Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.560{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310460Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.559{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310459Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310458Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310457Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310456Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310455Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=07FF16BA9846838DA27AE094A1B91369,SHA256=DC83AE90504AC11C29876CFC48483976397E899958EE8EDE7F381971A2C2C4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310454Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1B9A162CEB3C7BE8393CE348F35A4564,SHA256=2D6B6351BD1B8C2047DA1854D0033EE6C5CD9F1BFE38C5E1A2B82C86AFE8A598,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310453Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310452Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310451Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310450Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310449Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=0DBA6F5178E8433D0EED8C5BB5223635,SHA256=262DCBF46B0C20468B29D2908412070388B9BAAF0AFED3693245F92E61E5DE00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310448Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=D65C0F2F756552800930D7EDA0264C0B,SHA256=67606ECCDB4FA978F4795C2ABC47767824C6D5AD65C3EE02E0E7445A31CF37CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310447Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.541{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310446Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.526{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310445Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.526{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=AFD5A023DF4245E323E53D47A0BF9414,SHA256=FEE63ABE7743CA680B6C96024D9EE023C10F7C9BC1929231A663A55A79EF5D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310444Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.526{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=80ED9689AB372AAC91B47B347AE5A3BD,SHA256=253E054323EF5921475DD6DFC92942944B17AD7F18FCF851C44F165687F845AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310443Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.526{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310442Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.526{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310441Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.526{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=10DF08FF9D77ACBF8F2BFB88B4BF1E3E,SHA256=4CC64D82E2EE876BA287302C877554B9D226416AF66CDF9C0350DBB845433881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310440Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.510{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=E1E560A4EAE533286AEA5189E628BBCA,SHA256=0E5F9C474D34A165AF58EFB90E76E2CEDAE8A3E4FC29A6D9B9E2CFAEACD88A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310439Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.495{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=CB54FCAFBF73DAFAF4B7E22338C9DD2B,SHA256=5838014C12E2EE0F6FDC6EE191399A52C6AAF95EBA947686A8BF4B79D6EDB83C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310438Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.495{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310437Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.409{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=7F9435AB56C542EF409A8A0F4A8A2E06,SHA256=3D6847C72C5475D9445E73B5AFF1A70127C1F9BCB62C197103BD7E1BD1181AF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310436Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.394{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310435Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.394{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=D80C6F35940A3A48835EB680B4354F3E,SHA256=DFD4F558F85E03C33F991B9D2292C8CF4753FE84A7CBF124B98655EC06D50A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310434Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.394{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310433Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.362{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=DA56C63FA6B997392E730EABEABBFE9E,SHA256=8B82BAA2FE38C75769709FDC669DC233F8AB17C57A56EB0CBC5BB9736D154815,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310432Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:24.300{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310431Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:20.373{CBEA6AB7-643A-6197-729C-000000000E02}7764C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-970.attackrange.local60104-false142.250.186.170fra24s08-in-f10.1e100.net443https 354300x800000000000000017310430Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:20.371{CBEA6AB7-6A11-6192-2D00-000000000E02}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local50039- 354300x800000000000000017310429Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:20.369{CBEA6AB7-6A11-6192-2D00-000000000E02}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local50111- 354300x800000000000000017310428Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:20.368{CBEA6AB7-6A01-6192-1400-000000000E02}1100C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local50111-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domain 354300x800000000000000017310427Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:19.619{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60103-false10.0.1.12-8000- 354300x80000000000000001121026Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:42.162{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54333-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017310488Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:25.914{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3E1A6E966530A764C6A0D43E0265DE1,SHA256=5B1C44235A5FBF6A932649E5E5F933D6BEC8C248A3325C0FC3568F4DA6496E09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121042Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-77D5-6197-81A1-000000000F02}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121041Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121040Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121039Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121038Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121037Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121036Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121035Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121034Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121033Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6C45-6192-0500-000000000F02}408524C:\Windows\system32\csrss.exe{068A336D-77D5-6197-81A1-000000000F02}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121032Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121031Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.685{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-77D5-6197-81A1-000000000F02}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121030Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.670{068A336D-77D5-6197-81A1-000000000F02}2820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121029Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.585{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=065ED90A757B035E7E14F7BEAF680BF5,SHA256=0FD8FE16F892E9105FE1C5EFE5767EC44B814FEA05B26F4E7DE5B326F5D1BB75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310487Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:25.445{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\mm8x5u6x.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121028Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:25.532{068A336D-6C46-6192-0D00-000000000F02}7844472C:\Windows\system32\svchost.exe{068A336D-6C46-6192-1600-000000000F02}1220C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017310489Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:26.944{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B597461897201610BCA202551575CD9,SHA256=5094F138538000722E5FCC658F689CA197AC056BD01EB7D729FC96121B56A396,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121096Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.890{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-77D6-6197-83A1-000000000F02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121095Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.890{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121094Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.890{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121093Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.890{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121092Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.890{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121091Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.890{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121090Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.890{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121089Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.890{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121088Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.889{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121087Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.889{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121086Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.889{068A336D-6C45-6192-0500-000000000F02}408424C:\Windows\system32\csrss.exe{068A336D-77D6-6197-83A1-000000000F02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121085Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.888{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-77D6-6197-83A1-000000000F02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121084Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.869{068A336D-77D6-6197-83A1-000000000F02}2904C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121083Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.852{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7DAF22911A65EB612F8282FFE323E98,SHA256=7874701D7A5747A9E3D4B111E9D0579DD49CF1A107C0CFCEB269EDCA02405B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121082Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.852{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F8DEAC2681D5D9C2EA8F6D9881F867E,SHA256=04933F1D02780A97C1154FF7C9ADF12ECD9F1F3E9169676E38E7E7775E629340,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121081Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.621{068A336D-77D6-6197-82A1-000000000F02}16206704C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121080Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121079Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121078Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121077Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121076Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121075Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0A-6193-5B2A-000000000F02}2524C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121074Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121073Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121072Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121071Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121070Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121069Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121068Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121067Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121066Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121065Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121064Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121063Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121062Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121061Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121060Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121059Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE05-6193-4D2A-000000000F02}4532C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121058Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0B-6193-5C2A-000000000F02}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121057Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0B-6193-5C2A-000000000F02}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121056Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.436{068A336D-6C46-6192-0D00-000000000F02}784804C:\Windows\system32\svchost.exe{068A336D-CE0B-6193-5C2A-000000000F02}4528C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121055Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-77D6-6197-82A1-000000000F02}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121054Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121053Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121052Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121051Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121050Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121049Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121048Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121047Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121046Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121045Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6C45-6192-0500-000000000F02}408424C:\Windows\system32\csrss.exe{068A336D-77D6-6197-82A1-000000000F02}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121044Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.367{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-77D6-6197-82A1-000000000F02}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121043Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:26.353{068A336D-77D6-6197-82A1-000000000F02}1620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017310490Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:27.959{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA386D2813A19ACAA9A62E1A65962944,SHA256=3F343ABBD607A5B64D5BFE70E94E8F96CF9C11E622824107A14301FA3A2647C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121098Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:27.637{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F2B2DA57BF58061C9BD05E5DEA8D2A0,SHA256=E8431F9527A40FDF8186CC6CC57B042DBB8555467A0F30E8EA78B39C9DA06FD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121097Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:45.280{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-34240-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000017310491Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:28.973{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7108FA24CE60F99CB4219C28E85B3F6,SHA256=8374A917EA85321B9F084DE3951DC4F2DA9E4BF41FFF49DFF65C648668F4B76C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121100Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:28.637{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F55C2DF63B5AD83D6656CFA1B6E1F906,SHA256=227D13E83059AF28853025B05B01564DF4645232D89F20489BC87A99A486420C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121099Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:47.245{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54334-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017310494Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:29.988{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=715AC2847F07DDE7037E5C06B5FAAE85,SHA256=DEFFE42FC89BC0DDCC664014DC1D91213346C6AE8F6CED4A368AA5B4F2000294,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121130Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.955{068A336D-77D9-6197-85A1-000000000F02}35163248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121129Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-77D9-6197-85A1-000000000F02}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121128Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121127Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121126Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121125Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121124Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121123Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121122Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121121Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121120Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121119Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6C45-6192-0500-000000000F02}4081764C:\Windows\system32\csrss.exe{068A336D-77D9-6197-85A1-000000000F02}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121118Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.708{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-77D9-6197-85A1-000000000F02}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121117Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.687{068A336D-77D9-6197-85A1-000000000F02}3516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121116Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.655{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6444697AC1CD450AD692FD0F037517,SHA256=BBF0AA92FB696D6292334B7858F3EE29EB96E27981A77B353232E22C3B5E4DFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310493Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:29.210{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06D8543A8584FFE949874B5759AEBEEF,SHA256=41B115287ED2E0EC1E1B88E7EF1E9F6FAA0016A6CED2431B6A2A817C8712F3C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310492Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:29.210{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A66728EFCA290B40C6D429D1020E492,SHA256=0456C75A05CB15617064DCA7A0C95DC74B36CF6FE4AE478874CE9BF3AA75A8A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121115Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:47.428{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-38500-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x80000000000000001121114Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.238{068A336D-77D8-6197-84A1-000000000F02}61802464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121113Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-77D8-6197-84A1-000000000F02}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121112Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121111Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121110Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121109Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121108Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121107Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121106Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121105Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121104Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121103Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6C45-6192-0500-000000000F02}408524C:\Windows\system32\csrss.exe{068A336D-77D8-6197-84A1-000000000F02}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121102Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:29.007{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-77D8-6197-84A1-000000000F02}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121101Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:28.986{068A336D-77D8-6197-84A1-000000000F02}6180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121144Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.824{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5081DE5B5D6DFA7A04C81A710CE067D,SHA256=5B06320321622FFD0B4DC982C6FB99A20D46C27871CC1A4C94429CDE9CD3CCFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310497Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:30.406{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06D8543A8584FFE949874B5759AEBEEF,SHA256=41B115287ED2E0EC1E1B88E7EF1E9F6FAA0016A6CED2431B6A2A817C8712F3C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310496Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:25.657{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60105-false10.0.1.12-8000- 354300x800000000000000017310495Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:25.578{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-48992-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 10341000x80000000000000001121143Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.408{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-77DA-6197-86A1-000000000F02}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121142Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.408{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121141Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.408{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121140Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.408{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121139Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.408{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121138Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.408{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121137Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.408{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121136Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.408{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121135Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.408{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121134Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.408{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121133Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.408{068A336D-6C45-6192-0500-000000000F02}4081764C:\Windows\system32\csrss.exe{068A336D-77DA-6197-86A1-000000000F02}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121132Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.392{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-77DA-6197-86A1-000000000F02}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121131Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:30.387{068A336D-77DA-6197-86A1-000000000F02}6292C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121159Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.896{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4300A6E06B1274589CAF7B11F6E9401,SHA256=A3226709DCEE05017E529B688648F5356A573335367F2DDFDAF0FD2D27C8D49F,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310499Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:26.793{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-53978-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310498Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:31.006{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEAA7D84018328A7BA2CFB740C65D1F5,SHA256=83D30DE9DE0FC02933876D25AD6025712E70FDB242AC04A7F020C69A97AA3E64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121158Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.343{068A336D-77DB-6197-87A1-000000000F02}41726684C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121157Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.093{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-77DB-6197-87A1-000000000F02}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121156Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.093{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121155Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.093{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121154Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.093{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121153Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.093{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121152Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.093{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121151Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.093{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121150Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.093{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121149Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.093{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121148Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.093{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121147Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.093{068A336D-6C45-6192-0500-000000000F02}4081764C:\Windows\system32\csrss.exe{068A336D-77DB-6197-87A1-000000000F02}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121146Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.092{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-77DB-6197-87A1-000000000F02}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121145Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:31.072{068A336D-77DB-6197-87A1-000000000F02}4172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121160Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:32.959{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D94982754DE15D3469AF397623F53C81,SHA256=C94EE3460ACC8155E16EC928B308DBF7E0DB53CC3880A1891C15269DF62E6801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310500Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:32.024{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9E453B3B4FAA332623AC3307BEF22C7,SHA256=60B0C516B00D1F6168A86091EAF1C62365C2E02BDBFFD1795C072D4CF65DCBF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121161Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:33.994{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4179049B75B1070E34B9355F775CFE6,SHA256=DD33D49B1D10E46335B91C467CC63CA2C5438E254941A78283EE50A5BDDC7EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310501Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:33.039{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E1B9F609EF78C9081787B6E60C1808E,SHA256=9EDB41B09DC0E7FB18635A77E5451985CF63513B191A17939DE169C7FDAE48B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310503Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:34.568{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C38D58D31CE452604298EE1E400ED7AB,SHA256=488BC0A97CD24C9D68AA2E7070295587A1E233249E6C0ACA2901E19692B087C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310502Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:34.053{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D88E85AFA955FBE00CA99DEC5DA09DE9,SHA256=C6479781A0E7D01FBD68FCBD735327E6B6FF22D98ACDFE478E2EBAB841163D99,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121163Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:53.205{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54335-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121162Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:35.160{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A10875F1BFF09FBF238A7FB01AD1611,SHA256=29BC721B4D79F89D71D11D4071C5F323322E12E95C6C8EB3584911904FDDAD1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310505Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:30.747{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-34896-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310504Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:35.068{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A3F20D738443965994ACBBEB3014B6,SHA256=D355FBB309E2D38102FC9C74862A66114D10F498E46BBFF04AE193B0A88DA796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121164Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:36.175{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8186A2CDB2ED79693E3BA3CE8A38D6C,SHA256=8137C0F838B9F6E9711415B35812B950CA904FA834199AF4CAF0F4FFE1E46E5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310507Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:31.674{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60106-false10.0.1.12-8000- 23542300x800000000000000017310506Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:36.087{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D327F2CE0C310B93CAB47F20FE7BDB9,SHA256=F80B0443598EFC5DD1F892F40E3E2C15355C548579E55215C895A82CC6A2423D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121166Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:56.256{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.59-15602-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121165Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:37.195{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A935E29DCFECC1D911146E563890D11,SHA256=1C33E06486E9C77CEB39D84582C6E61DF7F2781940C9B67BC975E43F4AE5649F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310508Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:37.104{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D0F98ED97D74CCFCE75FDEA03583B4A,SHA256=2CF02207A3AF9FAA4367FBE80B0120653A4CB66FA8517136AAD0A1190F23770B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121167Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:38.277{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66BB4D4BDC1ADBAB22C553AAD01F886C,SHA256=7E75BF3EB56446BA3E019A63CDCBF127C83AF053C4834DDBE15EBD220508E714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310510Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:38.769{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B412406766C9585E47007176B2B8E89B,SHA256=EA71A99BE6AD8CC83272683AEDE8C5BC41E47AF64D2B5EE2264E5592C783D701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310509Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:38.138{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29AD53582D62540F59ADEC8390EF17D3,SHA256=F9935BA140ED6791E357CE30AF814E27E90CAF834555FB98D7606731D4D18C0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121168Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:39.295{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=838E8A6CBDDCED5D18B5787CB17B7735,SHA256=D1F8120875FB4861167CA19117A06989C5FF9D4A2D0A0B2917FC90F0A36036FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310513Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:35.306{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local60107-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local389ldap 354300x800000000000000017310512Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:35.306{CBEA6AB7-6A11-6192-2700-000000000E02}2876C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local60107-true0:0:0:0:0:0:0:1win-dc-970.attackrange.local389ldap 23542300x800000000000000017310511Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:39.153{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8C43D489D6BC900EE2A13730FBDF6CE,SHA256=7351A7BBB16C2813401E4F4B261BD934030247209CD8BA6000D0498E43483DED,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310515Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:35.647{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-45556-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310514Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:40.183{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29C5D51874953E5ED884EC2EEC24E6A,SHA256=3FE001C2886BC0F100B99D84640A1866A306C4FE64016CB6C1F53308801280C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121170Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:58.276{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54336-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121169Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:40.361{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9946E1922FE4AFBCE868AF6CAC602B7,SHA256=8ADC164F482998B6C2E64146DD6B6A833B996FF2E09DD3E5C23247752974ED22,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310517Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:37.672{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60108-false10.0.1.12-8000- 23542300x800000000000000017310516Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:41.184{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00EB8252429420D3A47C7E0DB78BF520,SHA256=7BE65A83DE20325E859A32BB8778147DF9C8F526F93285C6A603157D09CD91BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121173Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:41.362{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D39CE1CA058819EF96388F228FD694A5,SHA256=A86AAA86E07846CBB063059C047A2CA5E53FF22CD19908C68AD3E30AE7768792,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001121172Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:41.362{068A336D-7D1C-6196-DA82-000000000F02}5628C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\j82gpjv7.default-release\SiteSecurityServiceState.txt2021-11-18 16:24:43.684 23542300x80000000000000001121171Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:41.362{068A336D-7D1C-6196-DA82-000000000F02}5628WIN-HOST-273\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\j82gpjv7.default-release\SiteSecurityServiceState.txtMD5=06F3483D3FC62C8C15725B743374EF61,SHA256=D663215C1D4F5243BC484DBBE6E74F3661E404BF668672B7A39DE875C339CABD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121175Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:00.886{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-36080-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121174Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:42.377{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D49E905233EC1DBD08286CD2011F46C,SHA256=A80D0EDB76F2981F54B307A7BA8E7F4A7E6F86F90A77E5D15420C41FCC85C33C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310518Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:42.202{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC343AF32D9C5C651604421834A2601B,SHA256=200F0836EB5865C3C0A20E7A9A9867984431A35521521F0020A6C1EB9DC7CA1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121176Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:43.395{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDCE6EE00B91A3126CD026799F53B3B8,SHA256=CF4C96749B118F992499CE4133F9847EC9B6CC3451E0DAD888A1F48C6007DEC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310529Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:43.720{CBEA6AB7-77E7-6197-D29E-000000000E02}68687580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310528Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:43.520{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-77E7-6197-D29E-000000000E02}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310527Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:43.520{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310526Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:43.520{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310525Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:43.520{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310524Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:43.520{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310523Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:43.520{CBEA6AB7-69FF-6192-0500-000000000E02}408524C:\Windows\system32\csrss.exe{CBEA6AB7-77E7-6197-D29E-000000000E02}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310522Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:43.520{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-77E7-6197-D29E-000000000E02}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310521Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:43.499{CBEA6AB7-77E7-6197-D29E-000000000E02}6868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017310520Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:43.220{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E341CC1A1A66085DE7DB8F90E9F6EFC,SHA256=54931C35BE0B1997D1926A42B8752BE416554AB1879A8A0B23434594C9E06F9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310519Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:43.220{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=730662B963A50B08218C66DDC0268738,SHA256=666E6E1DDC86E696A4429F0B6635CCC921CDD61F641CB1C429129CF0D24644EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121177Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:44.532{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864160DE7D98722A2EE2E9458E8C34AB,SHA256=136F8DE284E842AD6431A190FF3A593B1EE94E266D4D8711CF4B845B023A9FD7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310548Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.883{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-77E8-6197-D49E-000000000E02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310547Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.883{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310546Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.883{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310545Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.867{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310544Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.867{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310543Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.867{CBEA6AB7-69FF-6192-0500-000000000E02}408424C:\Windows\system32\csrss.exe{CBEA6AB7-77E8-6197-D49E-000000000E02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310542Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.867{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-77E8-6197-D49E-000000000E02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310541Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.868{CBEA6AB7-77E8-6197-D49E-000000000E02}7456C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017310540Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.535{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86DF31EA5A647E986E7871772108897F,SHA256=39322AF51313CB743C0E6E5DA1D96109262B2FF0B4200E41E31BD785CA3C905D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310539Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:39.533{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-53744-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310538Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.235{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB5B6860F5BFD438F561A4DA77F2164D,SHA256=EE921E4AE7C31323AC8B66DFD4040140B6E026D60B8E5CD65DDC00BA28E690B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310537Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.200{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-77E8-6197-D39E-000000000E02}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310536Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.198{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310535Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.198{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310534Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.182{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310533Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.182{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310532Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.182{CBEA6AB7-69FF-6192-0500-000000000E02}408492C:\Windows\system32\csrss.exe{CBEA6AB7-77E8-6197-D39E-000000000E02}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310531Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.182{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-77E8-6197-D39E-000000000E02}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310530Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.183{CBEA6AB7-77E8-6197-D39E-000000000E02}4384C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001121179Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:04.193{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54337-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121178Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:45.648{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE969CBDDD062570C6A06FC186434BF8,SHA256=32DB538DE7E3246B80CB7932895F366256AAF6E06F598603C8AE5751D9AC9C52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310559Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.883{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7ED07604E0AE4C0D40CC40325C62E398,SHA256=003D6C81664A0D33540BD0C1AF9146D0E9696FFB7E23A6E1F08AA116C990CB95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310558Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.782{CBEA6AB7-77E9-6197-D59E-000000000E02}58925524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310557Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.582{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-77E9-6197-D59E-000000000E02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310556Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.582{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310555Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.582{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310554Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.582{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310553Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.582{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310552Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.582{CBEA6AB7-69FF-6192-0500-000000000E02}408492C:\Windows\system32\csrss.exe{CBEA6AB7-77E9-6197-D59E-000000000E02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310551Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.567{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-77E9-6197-D59E-000000000E02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310550Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.567{CBEA6AB7-77E9-6197-D59E-000000000E02}5892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017310549Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.251{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C6D97C10EC38418D70FE7940AD7ABA,SHA256=DE44BBB1453A60A0AFBA6ED761E37981F8D22F3292F02577BE85A321ED361335,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121181Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:04.520{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.82.77.234scanner.openportstats.com29152-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121180Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:46.778{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FA6FC3FBA5D1190D7DCD3CF1E521F10,SHA256=24C7D1E2B9468850D40D32688888E9720E8517EA42C219AD6161ABC84BDB618E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310576Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.951{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-77EA-6197-D79E-000000000E02}9120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310575Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.951{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310574Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.951{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310573Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.951{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310572Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.951{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310571Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.951{CBEA6AB7-69FF-6192-0500-000000000E02}408424C:\Windows\system32\csrss.exe{CBEA6AB7-77EA-6197-D79E-000000000E02}9120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310570Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.951{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-77EA-6197-D79E-000000000E02}9120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310569Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.934{CBEA6AB7-77EA-6197-D79E-000000000E02}9120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017310568Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.298{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40D6A8BBEB3259EC57BBE4DE4F6F80F7,SHA256=8911DB9962EF588CBEB92C9CF2B39949669CB919BDE4380F94F724495E20C787,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310567Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.266{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-77EA-6197-D69E-000000000E02}7956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310566Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.266{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310565Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.266{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310564Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.266{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310563Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.266{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310562Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.266{CBEA6AB7-69FF-6192-0500-000000000E02}408424C:\Windows\system32\csrss.exe{CBEA6AB7-77EA-6197-D69E-000000000E02}7956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310561Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.266{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-77EA-6197-D69E-000000000E02}7956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310560Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:46.252{CBEA6AB7-77EA-6197-D69E-000000000E02}7956C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121184Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:47.849{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE173B1D1161D28163DDF6BF394F30B,SHA256=5198D482CF1BA1BA992BF5A1CE0CE42072B46C5DB70A7A00D8D9FE4822344784,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310593Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.851{CBEA6AB7-77EB-6197-D89E-000000000E02}56245748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000017310592Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:47.697{CBEA6AB7-6A11-6192-2E00-000000000E02}3004C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\583610C9-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_583610C9-0000-0000-0000-100000000000.XML 13241300x800000000000000017310591Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:47.697{CBEA6AB7-6A11-6192-2E00-000000000E02}3004C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9D186EAE-3FAB-47AA-9E34-ADCAE99EEC51\Config SourceDWORD (0x00000001) 13241300x800000000000000017310590Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-SetValue2021-11-19 10:09:47.697{CBEA6AB7-6A11-6192-2E00-000000000E02}3004C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\9D186EAE-3FAB-47AA-9E34-ADCAE99EEC51\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_9D186EAE-3FAB-47AA-9E34-ADCAE99EEC51.XML 10341000x800000000000000017310589Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.635{CBEA6AB7-6A9A-6192-B000-000000000E02}1056764C:\Windows\system32\conhost.exe{CBEA6AB7-77EB-6197-D89E-000000000E02}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310588Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.635{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310587Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.635{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310586Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.635{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310585Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.635{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310584Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.635{CBEA6AB7-69FF-6192-0500-000000000E02}408424C:\Windows\system32\csrss.exe{CBEA6AB7-77EB-6197-D89E-000000000E02}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310583Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.635{CBEA6AB7-6A9A-6192-AC00-000000000E02}29243444C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{CBEA6AB7-77EB-6197-D89E-000000000E02}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310582Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.630{CBEA6AB7-77EB-6197-D89E-000000000E02}5624C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{CBEA6AB7-69FF-6192-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000017310581Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.466{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=47924363BFCF3B4A097B86E40E4E7419,SHA256=8356DEBEE939B571BD7D6AB4B2A446F14009311B96140D9F0ED5895D79B46548,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310580Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:42.734{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60109-false10.0.1.12-8000- 23542300x800000000000000017310579Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.298{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E1DB9E1222CDB7C3EEDB33325E0553,SHA256=936A7F03D0E3882017E4655ECAFB41CE9FE9815E8BBEEFB2912DF840BD0A1ECF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121183Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:05.914{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-55552-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001121182Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:05.816{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-46856-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000017310578Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.251{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42ABD3D4A51EEB55F0028E750200B600,SHA256=87013CEC3FD49CEF2AB0D0DA6708B913C775DCB988FB2EF3D9DA154542AA04B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310577Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:47.114{CBEA6AB7-77EA-6197-D79E-000000000E02}91207536C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001121186Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:48.879{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AF525BBA2BFEDFF46880E6DF35BD2B9,SHA256=24A3AFC4815663996964010DE21A1F64ED16C6BF008A6700E75CF1C7DF744018,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121185Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:07.090{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.219-32032-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000017310595Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:48.513{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5D820BF2DA00D08E9F640DB300FD241,SHA256=339FC51C8445F871A27EB594DEB3D82646E9F1D2E3FD7D0EA19B1A30B06E20D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310594Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:48.335{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E62C208CABE66C756C0DA694A903FE16,SHA256=02CD4F9A4F627010646D8FD15D9C5D5882DBB93ACB11AC3DDFB32D833FBAAF29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121187Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:49.899{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3C1FA5EB90F430B87C77EAB315E390,SHA256=B084C4F3790A5E2C9D55216EED470325952948BA417F7B94A9062FB2BC331FDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310607Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:49.980{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A01-6192-1500-000000000E02}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310606Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:49.980{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A01-6192-1500-000000000E02}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310605Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:49.980{CBEA6AB7-6A01-6192-0C00-000000000E02}8442200C:\Windows\system32\svchost.exe{CBEA6AB7-6A01-6192-1500-000000000E02}1232C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000017310604Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.264{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60113-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local389ldap 354300x800000000000000017310603Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.264{CBEA6AB7-6A11-6192-2E00-000000000E02}3004C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60113-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local389ldap 354300x800000000000000017310602Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.256{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60112-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local389ldap 354300x800000000000000017310601Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.256{CBEA6AB7-6A11-6192-2E00-000000000E02}3004C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60112-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local389ldap 354300x800000000000000017310600Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.240{CBEA6AB7-6A01-6192-0D00-000000000E02}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60111-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local135epmap 354300x800000000000000017310599Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.240{CBEA6AB7-6A11-6192-2E00-000000000E02}3004C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local60111-truefe80:0:0:0:94c9:4025:244e:d18fwin-dc-970.attackrange.local135epmap 354300x800000000000000017310598Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.002{CBEA6AB7-6A9A-6192-AC00-000000000E02}2924C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60110-false10.0.1.12-8089- 354300x800000000000000017310597Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:44.872{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-37444-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310596Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:49.365{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8CB8A33DDF3C5BF991E963AF2F225F5,SHA256=B81C3F5764BD2CD32E46DF62ECE81EE9D7B855B88119C09BCE0D16B3B77F4E25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121188Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:50.949{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B8965F5C09D5339A9940AD885FBBA1B,SHA256=5081BC7E6D5EE5605C69FC3B3A65C3DFB7B1082BDCA761C3D53D6BCD2329AD5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310609Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:45.646{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-39184-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310608Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:50.395{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F3F21080652A1D2BFB7604E07B6A05C,SHA256=D658D743458E8790523C12F601A9A85A8E6A789B507F6112829FFD8173762206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121191Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:51.980{068A336D-6CBE-6192-9900-000000000F02}3876NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=47924363BFCF3B4A097B86E40E4E7419,SHA256=8356DEBEE939B571BD7D6AB4B2A446F14009311B96140D9F0ED5895D79B46548,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121190Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:51.964{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67F6CC5ED135C444B7FBDD4CDB6912E6,SHA256=1E8154105C4C55BAC874333B416CAEE3ED47BEAF909BF6E04A75DCC0DF44F624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310610Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:51.410{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6DAAA83B03DAB09582553EB8FBBD86F,SHA256=8FED43C6BD17EF65BD216D1E67E101E1601D727E6C65AFA9CFB46A64D51E6F6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121189Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:09.086{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-34276-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121193Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:52.980{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD069E69A000404AD1FC59EA20245FF0,SHA256=240879174666379CD6B64C602225B2CB2F99F87F2083823C18AC0CE3F655BEAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310612Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:48.661{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60114-false10.0.1.12-8000- 23542300x800000000000000017310611Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:52.427{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B7AD73200EEA2128935B7A864C44A64,SHA256=83998D29BE099089D6683586A0B7F893F3E9784C285311564A6D4FCF0D60A642,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121192Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:10.196{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54338-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017310614Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:53.446{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F9EED50FC5A593A35D3789BCB32E2E2,SHA256=2CA071A72170188BDC3BE6A032DEA51FEFDAEDBD581744CABC46376B670A3D00,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121194Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:12.027{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54339-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x800000000000000017310613Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:53.246{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0734C8F39020C013782CC7D51A07933D,SHA256=CBAB93FE176A424CC8FBDA7D5394E5E2A62276F85E087AFA0C725E7F0B809D38,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310617Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:50.502{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-49520-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 354300x800000000000000017310616Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:49.638{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-45464-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310615Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:54.461{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2517D96709AB78AE7E3082CDF468F7B,SHA256=E886EFE5030A89B117F92260BE863F69A0353ADEDC51BAE68C2832CB6F84FD0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121198Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:54.136{068A336D-6C47-6192-1B00-000000000F02}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0888b3dfc16cad471\channels\health\respondent-20211115141851-5373MD5=7D5F4D75B6205BAE0B0CD245353355AE,SHA256=FF29CB026251AB2F621324A386EBB740C0EEF4A7746CD7FA9FAF12CBD8E709CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121197Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:54.099{068A336D-7D1C-6196-DA82-000000000F02}5628WIN-HOST-273\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\j82gpjv7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121196Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:54.097{068A336D-7D1C-6196-DA82-000000000F02}5628WIN-HOST-273\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\j82gpjv7.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=2E070058E9056229AE7F3CF6085B9B44,SHA256=D6473135BA2E8D154C6D32353CB218529F8534C11A85630F29BC1E6699C6B738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121195Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:54.000{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0252A7FA2951BFDA16FD7EFFC48AF626,SHA256=E15484092A16DCAC18301436861E29B1EAF16AD716DC68360650B8DB628E2322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310619Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:55.492{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F6C991521198E2E51C54B2E287D67B,SHA256=1B0B3462B83062654E5A6821F267F52DC79889C8E70A5BC20D2AA371663A7BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121200Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:55.150{068A336D-6C47-6192-1B00-000000000F02}1952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0888b3dfc16cad471\channels\health\surveyor-20211115141847-5374MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121199Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:55.003{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4AABE65A84AB5117E9914339439CA11,SHA256=3228F28209FEF2BF0E9504E55DA18C18FFA739DE6E571C3D4D10098E41D4BB62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310618Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:55.176{CBEA6AB7-6A01-6192-1100-000000000E02}404NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EFB11262EE9F06B291E0156EA35155D1,SHA256=19F7A5867EB66A2E9E9F48AC4412ACCEACF1757EE025FCE0261B58985E613E37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310620Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:56.493{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E0CD4E6CCFBE8CC420184AD59BE89C6,SHA256=3744AD5243E81EA2ED10FED909A64E847B0AAC344225DF73949898AE64D30E93,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121202Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:15.212{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54340-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121201Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:56.064{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE470C965249697C1F5B1609FB70ADD3,SHA256=7E5DDC801F3DA81CE363358E79F4FFBB3ED706987604003EF7DDA67FDCE866E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310623Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:53.580{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-56538-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310622Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:57.494{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C74F35DEAB922280AD60C010BDAC5BD,SHA256=787016D80506C522C267CD22EBC6DA94424BB9630975841308199F71EA78AAC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121203Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:57.064{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60A644F9F28B2E8112A702CAF010778F,SHA256=9F395A23A5094804093C0D8B73B0CE89DAA0FDEEC5E1C78EC9C2E9D88670B73E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310621Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:57.193{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAEDF6FBC5C3B950DFFC5C6210AA4E8B,SHA256=EBD0221D5902D95278283DD196B663EFACC3C27755B8228E131E0DECAB87886D,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310625Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:54.697{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60115-false10.0.1.12-8000- 23542300x800000000000000017310624Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:58.495{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=832B502BDB9906BD902ADE53B5D9C378,SHA256=E3955C011ED59605D512319B1E346EF867F25A48F4F36B4C7D081040BFCBC78A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121204Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:58.080{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=351302F0DF94FF2D1D3C0FEF026DE0A7,SHA256=D09D2430BC114958DC5E1567144C33DC31D2D9336DC8040717B5839E9C9D5CF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310628Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:59.630{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E916ACA7AE0C40C28219F05F83785068,SHA256=DD92ADAF04EA36CA68C9EE96BD4C31E5A2D22519D629F407C35F507EDCB395F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310627Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:56.032{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-33692-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310626Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:59.510{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=044F11A03EC20690053C6E91FC77538F,SHA256=D3D3A5587F5DBDB7D55BB23B54612B91FEF47BCC635AA913AFEC63C0E1D55F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121205Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:09:59.119{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D0BB5F560004E9E58BAAB7EAEBF1186,SHA256=7A7016D5D79CD5CE8E40C60D8A12C87AE468BE8C746008F95DA4E961BD8B8FC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310629Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:00.530{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C70FFC28A2D45712CAFA16E69AEE984,SHA256=3EC592B1B526E5A89FD9AF132AD44582AB210D423146DB912E9DE10E54976E1A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001121208Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-SetValue2021-11-19 10:10:00.797{068A336D-6C46-6192-1100-000000000F02}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7dd2d-0x9cff94ba) 23542300x80000000000000001121207Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:00.119{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B80FB5C285D00FAC717A58776F33441,SHA256=D74AB8C61F583047A23492709ACC968A716F12FC57E8028B93EF3C8B5FA9A2D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121206Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:18.173{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-46044-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x800000000000000017310630Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:01.545{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197909D376AF3866B46538DD32644B29,SHA256=F7D5D0D4341A7FE2C038024FB384BB2B719FBDD67A13644A9BAD1C8250042522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121209Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:01.151{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0884A25DAC6D79FE259F39D5252EDB6F,SHA256=CB0C22AE342E4E210AA4388593AD28CD1469C136BF9C7968C63D24C5FD6DCCB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310631Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:02.560{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C836DED86DD1D49BC1411B907B717D,SHA256=921B9E692ABB24D9919D86581657958718881D083B56A19D5F56A9B7054C3F39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121212Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:02.151{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC3EF0AE3E0C676CC3E2F3E1B1D089CA,SHA256=DB163F982B25F1683569984281C967E1B3D31A34B6DF1F458EDBB2978C9A2FD3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121211Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:20.844{068A336D-6C46-6192-1100-000000000F02}976C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-273.attackrange.local123ntpfalse169.254.169.123-123ntp 354300x80000000000000001121210Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:19.747{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-53690-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x800000000000000017310633Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:09:59.711{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60116-false10.0.1.12-8000- 23542300x800000000000000017310632Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:03.591{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C45426C059E112486070242D072B86,SHA256=76F86D6C4F9736A6A42838A74B7B9A3314E8B8466A623B63D5D95B5166204A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121214Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:03.166{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9096FADA077F57FD4F6BEEF225E331DC,SHA256=23E3090A00F979ACC8FD3C5670FAF62ED2B3A4520C3CF661D20CFA8DB37E3453,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121213Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:21.164{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54341-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x800000000000000017310634Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:04.591{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DCB4A2963F11D32EEE5AFA5893D439,SHA256=C6AFF6550C78CE2D78BF5074B583D9DF9A63E1266AEAEA3B2DE32AC6534D1043,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121216Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:21.806{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-58164-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121215Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:04.181{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B67BA7BF5398CFA4FC6DE51E96381999,SHA256=7B9DA518F3C0A66D90137000F752456B1CAADF851A64E63B4B044B03EB2CB7E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310635Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:05.606{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D905FCA1234F15E6C67956805F6AE813,SHA256=12C9004E5EC5637F4E8EFE4A076C9A26A2B0931C980DEE61771671D09FF9E393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121217Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:05.205{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EE23C0ED8335A81006600CA7EA77FEA,SHA256=F37EA1D55F87116D5DEBC5D432A61180E79A03C5E3644D7FB2D36738465904C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310638Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:06.805{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83D9F6B1BFA289F6FBC6B7080C1E2D54,SHA256=B241A50214FE520D6C5B9642989FFF4EC9B8D33E02A3E39106C287680046665A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310637Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:06.805{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B453D68F37A95F31D643253793295D0,SHA256=5C233C3E344983635F670F208D9486642CC66D5D861A8D9098AC555E4780E26D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310636Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:06.624{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7487FF4A9DDB90C534B061BD9C0ADA36,SHA256=A41247519FD0B5F5E1774B5B4703A0DE98DB38FC047933B51DF5F44AD168A91B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121219Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.078{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.114-54036-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121218Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:06.224{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8D42D478F098B32CC553E4C41506FD4,SHA256=5C096D361AAD47BBA2CD8EE090C33C349ACE10213F5001702653E5D6F5752BDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310641Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:07.942{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=83D9F6B1BFA289F6FBC6B7080C1E2D54,SHA256=B241A50214FE520D6C5B9642989FFF4EC9B8D33E02A3E39106C287680046665A,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310640Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:03.192{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-47766-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310639Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:07.658{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4F7F8B27B95DB4A9FFE7F3A6CA1D66D,SHA256=D62858BBEECEEC8A0DA87F54F3164C41673F284DF60F47221120E0F4AC5A45F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121221Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.186{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54342-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121220Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:07.285{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B0D632D86842B8CABAF0842119FAAE3,SHA256=3B5C26B163FCB93477BCE11EF77D601CA53A7348ADAFB736DEDBB0006CE78C77,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310644Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:04.756{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60117-false10.0.1.12-8000- 354300x800000000000000017310643Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:04.292{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.82.77.234scanner.openportstats.com8097-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310642Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:08.688{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F933D2B7B28665163A5F7E40FD0F2487,SHA256=8A1CBB355605F81812B85B5A35633147B46598AB30CB27CE73557A750D32A96B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121222Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:08.304{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FCAE213E30B2E33E007E8B8F3E5128B,SHA256=6B10C9482F85CA7CC681D6D8197DB6FB009BD042A22770122AE7C880043A54A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310647Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:06.225{CBEA6AB7-6A01-6192-0F00-000000000E02}364C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-54736-false10.0.1.14win-dc-970.attackrange.local3389ms-wbt-server 23542300x800000000000000017310646Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:09.821{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=82672450FD93E1F0951588D8B7A04F69,SHA256=93DD87BDE3BADA2B5B4D96803B2AB0AE73F927A7BEC6D099616F326169BD769F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310645Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:09.703{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBFAF16D1CEDB59E146E2F2E27191D16,SHA256=C69DE4D955D772D496A22C9E4B2DA2B5FF6FE8A6726D590B4051084B500F8330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121225Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:09.801{068A336D-6C46-6192-1200-000000000F02}984NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=918943FF09E7F529610B86C14F482DE8,SHA256=DEE889148F9B1730DDE6EC40B47277978C71F130BE32014FFC4402399A7FBDAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121224Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:27.402{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-42502-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121223Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:09.322{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9833B16BE53FC092BEA6F49B289F3CAB,SHA256=87714EE9CDDE5679F60CE6FD8CFCBCFA126196E133CCBB1ACE7489F8BFA25F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310648Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:10.724{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3026DE38E9B491068D3229E92813B8,SHA256=651B4BD5482B338DCA651A567443FF3C22C8F8E6FCEB5E22BA45F335E3CE3F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121226Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:10.322{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3145824A07FA0B6913BD586FC6D530F6,SHA256=4B31BBD3B2CAFC09ACFB750BFF911326E4FFB32C184E0860ECAD36E9A938555E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310649Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:11.754{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32E4A71A60B7E3528B4771FB4D3BF0FA,SHA256=ABA590FFCA142CA4F175A0212A2CD526DCBAEE76BD030852CFB25449A3ABE418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121227Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:11.322{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C054CFF17A52B1E96BC7890C587E442,SHA256=6C8C8386D55C8C2A2053ABFF23C344D75009887CE9704188031114EE1A516D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310650Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:12.785{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=788FE3AAB22CC0C85D92BD81E1E10CD1,SHA256=9E4F3EFBE9E427D38C404885928FB4E70EDAB115C4B652197334EBEEAF854C12,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121230Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:30.822{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-45602-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 354300x80000000000000001121229Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:30.546{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.36-44790-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121228Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:12.323{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE22A039B3C6A5D44792B71E68B3F517,SHA256=1A508E4F330F0DC80B032D60A34AD059477C02934A2609538F60921414BA317E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310677Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.822{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AA233C461200E6514C85FA3327AFB8D,SHA256=7623EB1D1C3A378813002D684CE1EA28C7B8C3E87551520860C2B9DA0C09EA5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121233Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:31.285{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54343-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001121232Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:31.245{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-54346-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121231Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:13.404{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CB028531EC9E41477A11B08AEF66976,SHA256=ED8AE4AE0436965204FF5D85874C4AF09A91979856066632C697398105B748E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310676Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310675Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310674Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310673Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310672Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310671Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310670Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310669Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310668Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310667Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310666Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310665Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310664Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310663Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310662Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310661Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310660Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310659Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310658Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310657Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310656Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310655Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310654Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310653Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-1A7E-000000000E02}5348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310652Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-1A7E-000000000E02}5348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310651Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:13.169{CBEA6AB7-6A01-6192-0D00-000000000E02}904928C:\Windows\system32\svchost.exe{CBEA6AB7-6399-6196-1A7E-000000000E02}5348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a31|c:\windows\system32\rpcss.dll+43b62|c:\windows\system32\rpcss.dll+43e9f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017310678Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:14.853{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=670D37EE30BFCB8FCFF27DD839843300,SHA256=C2AB82A967097A20BDFD353EF3A15CB1BF3B18362B4A317F101B83BEC122F0E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121234Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:14.425{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DB6994ADCB8613B5FC6FBC5BF80E55,SHA256=B90207157CB1354602F1B62CC37AA88D99B183AEEE6D191D487E5EE43C7F2C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310680Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:15.854{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773659F35A37D73CD661C8F51BDBA572,SHA256=9B048F5A0FEDFE39FC48004941170C61630A9F3AEBC269E37661F716EFD62952,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121235Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:15.440{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53969B346149AB5BCAF7788804C58831,SHA256=24B16624F5C2A9DD3FD1B5CF05F994FC2D00AF9440625951AC6E4F6C630C5827,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310679Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:10.668{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60118-false10.0.1.12-8000- 23542300x800000000000000017310681Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:16.869{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2242290B4F414EBE929AEF0691C7F1F5,SHA256=689933E87150B7232BCA5DBD7A9FE14AB06FA79C6D82671BEF7E69EA094881E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121236Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:16.456{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76576D1ECFB820F677E8C1A6BB2AF973,SHA256=2FAD4233D41C70797402CEA40DCAB8087C08B13C9533C3E21955288B354D3175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310683Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:17.871{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5B04077E345447EA1B324B7631640A,SHA256=FB8F41F5A2937616C7BDD3775199C1CCBFCAAC58B5DF13A3496DD6BD63B9F83B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121237Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:17.471{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAC6504C9EEE3E05F201D41A9B2E9919,SHA256=72FA3C1F6F4ACAFAF8D6956793D25DD52CB61A8677BA60AE71EE3C2F03AD9AA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310682Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:17.116{CBEA6AB7-6F14-6192-DE04-000000000E02}41924312C:\Windows\system32\taskhostw.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017310710Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.882{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5569B7B28C93AEAD1AC2CA048CEF2E5,SHA256=337A1FDD007CB8EF6F57D0227D815D3186CA1F9F125E63D02AD278BEEF8F143C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121239Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:37.203{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54344-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121238Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:18.507{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CD17F025D81C81A5FE3C0AC6DAC321C,SHA256=370B489FA0BE8832122FA5F45AECFF6B3F2AA1CBF8667149BEBF28A8A3BF4544,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310709Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.281{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310708Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.279{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310707Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.279{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310706Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.273{CBEA6AB7-6F14-6192-DE04-000000000E02}41924312C:\Windows\system32\taskhostw.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310705Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.273{CBEA6AB7-6F14-6192-DE04-000000000E02}41924312C:\Windows\system32\taskhostw.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310704Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.263{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310703Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.263{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310702Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.263{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310701Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.263{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310700Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.261{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310699Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.259{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310698Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.259{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310697Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.259{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310696Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.249{CBEA6AB7-6A01-6192-1600-000000000E02}12803084C:\Windows\system32\svchost.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310695Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.249{CBEA6AB7-6A01-6192-1600-000000000E02}12801336C:\Windows\system32\svchost.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310694Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.241{CBEA6AB7-780A-6197-DA9E-000000000E02}56363612C:\Windows\system32\conhost.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310693Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.233{CBEA6AB7-6A01-6192-1400-000000000E02}11008956C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310692Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.227{CBEA6AB7-6F11-6192-D304-000000000E02}40923604C:\Windows\system32\csrss.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310691Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.218{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310690Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.218{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310689Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.217{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310688Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.217{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310687Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.217{CBEA6AB7-6F11-6192-D304-000000000E02}40926000C:\Windows\system32\csrss.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310686Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.217{CBEA6AB7-6397-6196-187E-000000000E02}18565180C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+3d473|C:\Windows\System32\SHELL32.dll+3d33b|C:\Windows\System32\SHELL32.dll+3cc57|C:\Windows\System32\SHELL32.dll+3c91c|C:\Windows\System32\SHELL32.dll+e2087|C:\Windows\System32\SHELL32.dll+e1fe5 154100x800000000000000017310685Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:18.211{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{CBEA6AB7-6F13-6192-9E98-2F0000000000}0x2f989e2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exeC:\Windows\explorer.exe /NOUACCHECK 354300x800000000000000017310684Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:14.723{CBEA6AB7-6A11-6192-2D00-000000000E02}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local65390- 23542300x800000000000000017310716Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:19.889{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D70608DB0F5ABD599F42A824D113357F,SHA256=56EA904342A9B8F46210E679F2B7E90E8A8F52A839FB0B2E1100687B6E892665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121240Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:19.524{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBB63CB52E1E61D9DC44EEF492593DC6,SHA256=BB4F15F3BB7CEE3D05999B2B349F4E40C2DA519DA791C071670F3FB3CC2CBE07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310715Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:19.264{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FB72207C416C97C879F158F799A8B24,SHA256=AE4B42D812E0631E913BC08EF7F01322FACF52E09E433A3C60A125854D145622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310714Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:19.262{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=025EC85E81CEADF382119E81BFDAB1AF,SHA256=FB74F373BB73AA1DA3C04007C17C9AB2643A835B4460EC77BC6B165BFE9F2E34,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310713Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:14.726{CBEA6AB7-643A-6197-729C-000000000E02}7764C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-970.attackrange.local65391-false142.250.185.68fra16s48-in-f4.1e100.net443https 354300x800000000000000017310712Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:14.726{CBEA6AB7-6A11-6192-2D00-000000000E02}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local63174- 354300x800000000000000017310711Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:14.725{CBEA6AB7-6A11-6192-2D00-000000000E02}2988C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-970.attackrange.local50962- 23542300x800000000000000017310718Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:20.894{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CC0FF8319945355E1EC733C0F2C450,SHA256=2F6397E70623E668242066EEE43E162D51CBD904808D71F3F5D782A061FD9986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121241Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:20.539{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C37B38E7444A625C9B88A85E303D7A,SHA256=DB6693C93BCFF95ADA595529B3B43E8748C98C162AB96AF27DE2CC4C56104C3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x800000000000000017310717Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:15.773{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60119-false10.0.1.12-8000- 23542300x800000000000000017310742Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.909{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=726815E1DA249D46C70797481C261601,SHA256=CE7D46C06B80B2A0854667643E60444856280792277D60A6CE79338834694B2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121243Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:39.342{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.98-43788-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 23542300x80000000000000001121242Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:21.555{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB2B299307693C8FAF5CA44768229DDF,SHA256=83D370F0C1C59E9E2FC9E7A0CB74A3191DC2A20FF9AF669024A36A1FEAFE7849,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310741Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.100{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310740Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.098{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310739Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.098{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310738Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.098{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310737Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.098{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310736Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.098{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310735Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.098{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310734Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.092{CBEA6AB7-6F14-6192-DE04-000000000E02}41924312C:\Windows\system32\taskhostw.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310733Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.090{CBEA6AB7-6F14-6192-DE04-000000000E02}41924312C:\Windows\system32\taskhostw.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310732Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.086{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310731Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.086{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310730Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.086{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310729Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.086{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310728Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.072{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653ea|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310727Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.066{CBEA6AB7-6A01-6192-1600-000000000E02}12803084C:\Windows\system32\svchost.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310726Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.066{CBEA6AB7-6A01-6192-1600-000000000E02}12801336C:\Windows\system32\svchost.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310725Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.032{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310724Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.032{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310723Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.032{CBEA6AB7-6F11-6192-D304-000000000E02}40921012C:\Windows\system32\csrss.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x800000000000000017310722Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.032{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310721Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.032{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-6A11-6192-2B00-000000000E02}2960C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310720Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.032{CBEA6AB7-780A-6197-D99E-000000000E02}60049016C:\Windows\system32\cmd.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x800000000000000017310719Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.026{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\System32\dxdiag.exe10.0.14393.2457 (rs1_release_inmarket.180822-1743)Microsoft DirectX Diagnostic ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationdxdiag.exedxdiagC:\Users\Administrator\ATTACKRANGE\Administrator{CBEA6AB7-6F13-6192-9E98-2F0000000000}0x2f989e2HighMD5=547556E6022C3F8814D5C9D59BE746C8,SHA256=D035316F6BDF5009934565079CE30EA49A540492780CA476571C904B18C8518A,IMPHASH=BF1BC5E91C7FEDD371D86092799F9519{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x800000000000000017310747Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:22.915{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C18930101DD3950D239612298CDE308,SHA256=36856354EF18D6ED3FBE561554E21AA0B976379505ED42760E53DA69355208E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121244Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:22.555{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42E510C7A5C04A03221CD1B2A680317,SHA256=383BFD04A55A3D83D7EBDC30711C345D995C9570A7412E1A81EF4FB9410217A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310746Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:22.642{CBEA6AB7-6397-6196-187E-000000000E02}18567768C:\Windows\explorer.exe{CBEA6AB7-643A-6197-729C-000000000E02}7764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+55a50|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8037A4EFD08)|UNKNOWN(FFFFB2CDE74A5B48)|UNKNOWN(FFFFB2CDE74A5CC7)|UNKNOWN(FFFFB2CDE74A0351)|UNKNOWN(FFFFB2CDE74A1D1A)|UNKNOWN(FFFFB2CDE749FFD6)|UNKNOWN(FFFFF8037A208103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad 10341000x800000000000000017310745Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:22.642{CBEA6AB7-6397-6196-187E-000000000E02}18567768C:\Windows\explorer.exe{CBEA6AB7-643A-6197-729C-000000000E02}7764C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+55531|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8037A4EFD08)|UNKNOWN(FFFFB2CDE74A5B48)|UNKNOWN(FFFFB2CDE74A5CC7)|UNKNOWN(FFFFB2CDE74A0351)|UNKNOWN(FFFFB2CDE74A1D1A)|UNKNOWN(FFFFB2CDE749FFD6)|UNKNOWN(FFFFF8037A208103)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+592ab|C:\Windows\System32\SHELL32.dll+dac6a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017310744Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:22.642{CBEA6AB7-643A-6197-729C-000000000E02}7764ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF13beee22.TMPMD5=F73D9CF608BCA5B177FC2D88CDEE67A1,SHA256=08D601DC82FD263D9DA78FAEEB42B109F6BAE1338BE9B538143592586E744332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310743Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:22.031{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FB72207C416C97C879F158F799A8B24,SHA256=AE4B42D812E0631E913BC08EF7F01322FACF52E09E433A3C60A125854D145622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310749Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:23.918{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5765FA753F98E068DE37B5BA970B5D1,SHA256=4AAE80D7EBBA6E1DD038DCA320101CC6F6879D4FC3A2DECA37A886210B199DDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121247Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:42.094{068A336D-6C46-6192-1000-000000000F02}960C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse185.100.87.251-46728-false10.0.1.15win-host-273.attackrange.local3389ms-wbt-server 10341000x80000000000000001121246Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:23.623{068A336D-6C46-6192-0D00-000000000F02}7844472C:\Windows\system32\svchost.exe{068A336D-6C46-6192-1600-000000000F02}1220C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x80000000000000001121245Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:23.570{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD1883BC6D14D64F6334E1F4F282B37,SHA256=47A1784C7167DE10CBE936478EC3833DD65F13E2E42BBA2F699D79C732A77225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310748Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:23.792{CBEA6AB7-6A11-6192-2900-000000000E02}2928NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03effd326efd96c31\channels\health\respondent-20211115140924-5382MD5=B1D65678BAAFB9FBC346ADDC22B9EF13,SHA256=A60E4A1EB0B1846EE4D092EA74D659E3EDD5022A58AD08DA4DCF9E97FBF70157,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001121249Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:43.234{068A336D-6CC7-6192-CB00-000000000F02}3384C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-273.attackrange.local54345-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001121248Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:24.605{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95354EDA3050A3A2F4B3E796F72914C6,SHA256=5CB96AACFBC18ABDDC5A05B737C74A982CB56AFCD38F4A4E37E10496DB091D4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310768Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.928{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2538C8A3CDA15BDE87F9700085955859,SHA256=44D0C1C88109446BA51FE5A8200E76BAB7D0A2AC16C17909810FDFDF56820FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x800000000000000017310767Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.793{CBEA6AB7-6A11-6192-2900-000000000E02}2928NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-03effd326efd96c31\channels\health\surveyor-20211115140922-5383MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310766Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.760{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310765Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.760{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310764Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.760{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310763Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.760{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310762Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.758{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310761Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.758{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310760Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.758{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310759Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.758{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310758Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.758{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-78BC-6196-A680-000000000E02}8504C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x800000000000000017310757Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.localT1122SetValue2021-11-19 10:10:24.676{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exeHKCR\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\(Default)C:\Windows\system32\dxdiagn.dll 10341000x800000000000000017310756Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.666{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310755Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.666{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310754Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.666{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310753Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.662{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310752Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.662{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310751Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.662{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310750Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:24.662{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121264Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.924{068A336D-7811-6197-88A1-000000000F02}55202620C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121263Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.701{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-7811-6197-88A1-000000000F02}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121262Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.686{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121261Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.686{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121260Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.686{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121259Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.686{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121258Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.686{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121257Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.686{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121256Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.686{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121255Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.686{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121254Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.686{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121253Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.686{068A336D-6C45-6192-0500-000000000F02}408424C:\Windows\system32\csrss.exe{068A336D-7811-6197-88A1-000000000F02}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121252Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.686{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-7811-6197-88A1-000000000F02}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121251Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.671{068A336D-7811-6197-88A1-000000000F02}5520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001121250Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:25.623{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F48F43C303F6979ABFA4B686802CDE62,SHA256=DF8C6F83934FD7975D2FC18CEA28F70F53E92AFA0A1974B62788AA3BC229DC52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310797Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.943{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-780A-6197-DA9E-000000000E02}5636C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310796Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.943{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-780A-6197-D99E-000000000E02}6004C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310795Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.943{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-6F21-6197-CE9D-000000000E02}4324C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310794Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.943{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-68EE-6197-149D-000000000E02}2076C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310793Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.943{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-66F2-6197-D49C-000000000E02}4912C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310792Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.943{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-66C3-6197-CC9C-000000000E02}7272C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310791Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.943{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-643D-6197-7B9C-000000000E02}6860C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310790Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.943{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-643C-6197-799C-000000000E02}3116C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310789Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.943{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-643C-6197-789C-000000000E02}4060C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310788Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.943{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-643C-6197-769C-000000000E02}6724C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310787Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.943{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-643B-6197-759C-000000000E02}6696C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310786Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.941{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-643A-6197-729C-000000000E02}7764C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310785Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.941{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-7FD2-6196-8F81-000000000E02}7484C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310784Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.941{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-7FD2-6196-8E81-000000000E02}4732C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310783Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.941{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-7FC5-6196-8C81-000000000E02}8780C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310782Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.939{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-7D11-6196-3481-000000000E02}5428C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310781Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.939{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-7D11-6196-3381-000000000E02}7464C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310780Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.939{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-79D5-6196-CD80-000000000E02}9060C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310779Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.937{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-7907-6196-B680-000000000E02}8912C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310778Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.937{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-7907-6196-B580-000000000E02}6088C:\Windows\System32\schtasks.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310777Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.937{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-78E0-6196-AD80-000000000E02}5108C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310776Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.935{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-78A5-6196-A280-000000000E02}2672C:\Windows\System32\WScript.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017310775Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.933{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38222A47FEFC3603C5D7B891A7E4AEE2,SHA256=4A876BD1DBD9759690245599E8B644D83CEC6A3097DAA33CAE768F3871844200,IMPHASH=00000000000000000000000000000000falsetrue 10341000x800000000000000017310774Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.931{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-6399-6196-1A7E-000000000E02}5348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310773Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.926{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-6399-6196-197E-000000000E02}348C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310772Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.926{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-6397-6196-187E-000000000E02}1856C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310771Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.920{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-936D-6193-B527-000000000E02}6292C:\Program Files\Greenshot\Greenshot.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310770Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.916{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-6F14-6192-DD04-000000000E02}4136C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310769Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:25.915{CBEA6AB7-780D-6197-DB9E-000000000E02}80603716C:\Windows\system32\dxdiag.exe{CBEA6AB7-6F14-6192-DA04-000000000E02}3932C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\dxdiagn.dll+34389|C:\Windows\System32\dxdiagn.dll+3103d|C:\Windows\System32\dxdiagn.dll+131b0|C:\Windows\system32\dxdiag.exe+21a6|C:\Windows\system32\dxdiag.exe+124c7|C:\Windows\system32\dxdiag.exe+22c18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017310814Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.959{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F34367BD8FECB7475B28CB47AE58505,SHA256=132C2AE713043FF77B256D33C259C7ABD752163FDD42F3C74DBC814585ED7D50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121277Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-7812-6197-89A1-000000000F02}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121276Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121275Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121274Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121273Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121272Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121271Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121270Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121269Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121268Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6C45-6192-0500-000000000F02}408524C:\Windows\system32\csrss.exe{068A336D-7812-6197-89A1-000000000F02}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000001121267Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121266Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.371{068A336D-6CBE-6192-9900-000000000F02}38762264C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{068A336D-7812-6197-89A1-000000000F02}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000001121265Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:26.357{068A336D-7812-6197-89A1-000000000F02}3220C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{068A336D-6C45-6192-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{068A336D-6CBE-6192-9900-000000000F02}3876C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000017310813Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.403{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310812Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.403{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310811Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.403{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310810Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.403{CBEA6AB7-6397-6196-187E-000000000E02}18567548C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310809Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.403{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310808Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.403{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310807Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.403{CBEA6AB7-6397-6196-187E-000000000E02}18566016C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310806Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.387{CBEA6AB7-6F14-6192-DE04-000000000E02}41924312C:\Windows\system32\taskhostw.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310805Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.385{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310804Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.385{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310803Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.385{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310802Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.385{CBEA6AB7-6397-6196-187E-000000000E02}18565664C:\Windows\explorer.exe{CBEA6AB7-780D-6197-DB9E-000000000E02}8060C:\Windows\system32\dxdiag.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x800000000000000017310801Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:21.586{CBEA6AB7-6AA1-6192-DA00-000000000E02}3684C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-970.attackrange.local60120-false10.0.1.12-8000- 10341000x800000000000000017310800Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.035{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310799Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.033{CBEA6AB7-6A01-6192-0C00-000000000E02}8444380C:\Windows\system32\svchost.exe{CBEA6AB7-69FF-6192-0B00-000000000E02}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x800000000000000017310798Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:26.033{CBEA6AB7-69FF-6192-0B00-000000000E02}624672C:\Windows\system32\lsass.exe{CBEA6AB7-6A01-6192-1600-000000000E02}1280C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1b02d|C:\Windows\system32\lsasrv.dll+27f0b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x800000000000000017310828Microsoft-Windows-Sysmon/Operationalwin-dc-970.attackrange.local-2021-11-19 10:10:27.972{CBEA6AB7-6AA7-6192-E300-000000000E02}1300NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B120FA049B436EAFC12E3A0A9EFCF0D5,SHA256=59CE73947136629158C4A916966B1B54C18F0DDEDC7CC29914C6BF12710BEFD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001121291Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:27.104{068A336D-6CCC-6192-D400-000000000F02}3096NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BDE99FBC1958F9E9065B1A32C14A36A,SHA256=E9A7C58818A2CF80D64335D8259C055A1CF71AC60587A65A2521A80EF5DEE70D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001121290Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:27.056{068A336D-6CBE-6192-9D00-000000000F02}22683424C:\Windows\system32\conhost.exe{068A336D-7813-6197-8AA1-000000000F02}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000001121289Microsoft-Windows-Sysmon/Operationalwin-host-273.attackrange.local-2021-11-19 10:10:27.056{068A336D-6C46-6192-0C00-000000000F02}7246072C:\Windows\system32\svchost.exe{068A336D-6C47-6192-1E00-000000000F02}2016C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a583|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d3c|C:\Windows\System32\RPCRT4.dll+4a284|C:\Windows\System32\RPCRT4.dll+4919d|C:\Windows\System32\RPCRT4.dll+49a4b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791